Re: [Freeipa-users] Announcing FreeIPA v3.1.0 Release

2012-12-11 Thread Nalin Dahyabhai
On Tue, Dec 11, 2012 at 01:04:37PM -0500, Bret Wortman wrote:
> This appears to require dirsrv-1.3, which I assume is part of
> 389-base-devel. I don't see where 1.3 has been made available yet, or am I
> missing something?

Hmm.  I'm seeing packages for a 1.3.0-0.1.a1 in Fedora 18, and after a
little digging, I find tarballs for it after hitting the Developers page
and following the Source link to
http://directory.fedoraproject.org/wiki/Source

I guess we don't have a final 1.3.0 yet.

HTH,

Nalin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Announcing FreeIPA v3.1.0 Release

2012-12-11 Thread Rich Megginson

On 12/11/2012 12:21 PM, Nalin Dahyabhai wrote:
> On Tue, Dec 11, 2012 at 01:04:37PM -0500, Bret Wortman wrote:
>> This appears to require dirsrv-1.3, which I assume is part of
>> 389-base-devel. I don't see where 1.3 has been made available yet, or am I
>> missing something?
>
> Hmm.  I'm seeing packages for a 1.3.0-0.1.a1 in Fedora 18, and after a
> little digging, I find tarballs for it after hitting the Developers page
> and following the Source link to
> http://directory.fedoraproject.org/wiki/Source
>
> I guess we don't have a final 1.3.0 yet.


1.3.0.a1 has been tested extensively by the freeipa team - I don't think 
I would recommend using an alpha version in production, but it should be 
fine for testing/pilot deployments.




> HTH,
>
> Nalin



[Freeipa-users] Announcing FreeIPA v3.1.0 Release

2012-12-10 Thread Rob Crittenden

The FreeIPA team is proud to announce version FreeIPA v3.1.0.

It can be downloaded from http://www.freeipa.org/page/Downloads.

A build will be submitted to updates-testing for Fedora 18 soon.

== Highlights in 3.1.0 ==

* A single 389-ds instance is used both for IPA identity data and for 
the dogtag CA server on new installs.
* Support for Windows 2012 Server Trusts.
* Verify that the IPA certificates are not tracked by certmonger after 
server uninstallation.
* Enable 389-ds transactions.
* If chronyd is running on a server disable it and replace it with ntpd 
by default.
* Add new OCSP and CRL URIs to the IPA certificate profile for a new 
CNAME entry, ipa-ca.example.com.
* Fix potential security error in cookie handling in ipa client tool, 
CVE-2012-5631.


== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.


Please note that the referential integrity extension requires an 
extended set of indexes to be configured. RPM update for an IPA server 
with an excessive number of hosts, SUDO or HBAC entries may require 
several minutes to finish.


If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 
uploaded.


Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is 
not supported and has not been tested.


Upgrading from a previous version will not consolidate the 389-ds 
instances. Only new installations get a unified 389-ds backend. Upgraded 
servers will retain both instances.


An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded; you will have to re-enroll the client or manually upload the keys.


== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel 
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel


== Detailed Changelog since 3.0.1 ==

Ade Lee (1):
* Changes to use a single database for dogtag and IPA

Alexander Bokovoy (8):
* ipa-kdb: Support Windows 2012 Server
* Remove bogus check for smbpasswd
* Warn about DNA plugin configuration when working with local ID ranges
* Resolve external members from trusted domain via Global Catalog
* Clarify trust-add help regarding multiple runs against the same domain
* ipasam: better Kerberos error handling in ipasam
* trusts: replace use of python-crypto by m2crypto
* Propagate kinit errors with trust account

Endi Sukma Dewata (1):
* Configuring CA with ConfigParser.

Jakub Hrozek (5):
* ipa-client-automount: Add the autofs service if it doesn't exist yet
* Make enabling the autofs service more robust
* ipachangeconf: allow specifying non-default delimeter for options
* Specify includedir in krb5.conf on new installs
* Add the includedir to krb5.conf on upgrades

Jan Cholasta (1):
* Reword description of the --passsync option of ipa-replica-manage.

John Dennis (2):
* log dogtag errors
* Compliant client side session cookie behavior

Lubomir Rintel (1):
* Drop unused readline import

Martin Kosek (18):
* Update SELinux policy for dogtag10
* Bump 389-ds-base minimum in our spec file
* Add OCSP and CRL URIs to certificates
* Stop and disable conflicting timedate services
* Create reverse zone in unattended mode
* Add fallback for httpd restarts on sysV platforms
* Report ipa-upgradeconfig errors during RPM upgrade
* Avoid uninstalling dependencies during package lifetime
* Remove servertrls and clientctrls options from rename_s
* Use common encoding in modlist generation
* Process relative nameserver DNS record correctly
* Do not require resolvable nameserver in DNS install
* Disable global forwarding per-zone
* Prepare spec file for Fedora 18
* Filter suffix in replication management tools
* Change network configuration file
* Improve ipa-replica-prepare error message
* Fix sshd feature check

Nikolai Kondrashov (1):
* Add uninstall command hints to ipa-*-instal

Petr Viktorin (12):
* Fix schema replication from old masters
* Use correct Dogtag configuration in get_pin and get_ca_certchain
* Update certmap.conf on IPA upgrades
* Properly stop tracking certificates on uninstall
* Provide 'protocol' argument to IPAdmin
* Make ipa-csreplica-manage work with both merged and non-merged DBs
* Use DN objects for Dogtag configuration
* ipautil.run: Log the command line before running the command
* ipa-replica-install: Use configured IPA DNS servers in forward/reverse 
resolution check
* Make sure the CA is running when starting services
* Provide explicit user name for Dogtag installation scripts
* Add Lubomir Rintel to Contributors.txt

Petr Vobornik (7):
*